BPFDoor Linux backdoor with HTTPS-hidden trigger packets
Malware Activity
Summary
Hide ▲
Show ▼
A newly disclosed BPFDoor variant is hiding trigger packets inside HTTPS traffic and using ICMP between infected hosts, making the Linux backdoor harder to detect in telecom environments. The implant is built for persistent access and low-noise control rather than loud exploitation. Its covert design increases the risk of long-term operator presence and lateral movement on compromised systems.
Related Happenings
TrojPix air-gap covert channel turns video cables into a high-speed exfiltration path
Technical Analysis
H score20
First: 06.07.2026 11:50
Last: 06.07.2026 11:50
Sources 1
About this happening:
**TrojPix** introduces a new **air-gap exfiltration** technique that uses **imperceptible pixel modulation** and **video cable emissions** to move data out of isolated systems, ra...
TrojPix air-gap covert channel turns video cables into a high-speed exfiltration path
Technical AnalysisAbout this happening: **TrojPix** introduces a new **air-gap exfiltration** technique that uses **imperceptible pixel modulation** and **video cable emissions** to move data out of isolated systems, ra...
SilentGlass launch as a monitor-connection protection security device
Security Tool/Service
H score46
First: 22.04.2026 18:00
Last: 22.04.2026 18:00
Sources 1
About this happening:
The **UK National Cyber Security Centre** has released **SilentGlass**, a plug-and-play device that blocks unexpected or malicious signals between **HDMI** or **display port** con...
SilentGlass launch as a monitor-connection protection security device
Security Tool/ServiceAbout this happening: The **UK National Cyber Security Centre** has released **SilentGlass**, a plug-and-play device that blocks unexpected or malicious signals between **HDMI** or **display port** con...
TBK DVR command injection flaw actively exploited (CVE-2024-3721)
Vulnerability
H score1
First: 20.04.2026 16:01
Last: 20.04.2026 16:01
Sources 1
About this happening:
The **CVE-2024-3721** command injection flaw in **TBK DVR systems** is being actively exploited to gain access and install **Nexcorium** malware. Attackers abuse **crafted request...
TBK DVR command injection flaw actively exploited (CVE-2024-3721)
VulnerabilityAbout this happening: The **CVE-2024-3721** command injection flaw in **TBK DVR systems** is being actively exploited to gain access and install **Nexcorium** malware. Attackers abuse **crafted request...
Nexcorium Mirai botnet activity on TBK DVR devices
Malware Activity
H score27
First: 18.04.2026 09:01
Last: 18.04.2026 09:01
Sources 1
About this happening:
**Nexcorium**, a **Mirai variant**, is now being deployed against **TBK DVR-4104** and **DVR-4216** devices by exploiting **CVE-2024-3721**, turning compromised IoT hardware into...
Nexcorium Mirai botnet activity on TBK DVR devices
Malware ActivityAbout this happening: **Nexcorium**, a **Mirai variant**, is now being deployed against **TBK DVR-4104** and **DVR-4216** devices by exploiting **CVE-2024-3721**, turning compromised IoT hardware into...
Payouts King ransomware QEMU reverse SSH backdoor activity
Malware Activity
H score32
First: 17.04.2026 22:10
Last: 17.04.2026 22:10
Sources 1
About this happening:
**Payouts King ransomware** is using **QEMU** hidden virtual machines and a **reverse SSH backdoor** to keep covert access on compromised hosts and evade endpoint security. The ma...
Payouts King ransomware QEMU reverse SSH backdoor activity
Malware ActivityAbout this happening: **Payouts King ransomware** is using **QEMU** hidden virtual machines and a **reverse SSH backdoor** to keep covert access on compromised hosts and evade endpoint security. The ma...
Timeline
-
26.03.2026 19:40 2 articles · 3mo ago
BPFDoor variant hides activation in HTTPS traffic
Technical Analysis UpdateA newly documented BPFDoor variant extends a Linux backdoor by installing a kernel-level BPF filter, concealing the activation marker inside seemingly legitimate HTTPS traffic with a fixed-byte-offset check for the string "9999", and adding ICMP-based host-to-host communication for stealthy control and lateral movement in enterprise and telecom environments.
Show sources
- China-Linked Red Menshen Uses Stealthy BPFDoor Implants to Spy via Telecom Networks — thehackernews.com — 26.03.2026 19:40
- China-Linked Red Menshen Uses Stealthy BPFDoor Implants to Spy via Telecom Networks — thehackernews.com — 26.03.2026 19:40